On 3/3/13 1:45 AM, Yair Zaslavsky wrote:

----- Original Message -----
From: "Keith Mitchell" <[email protected]>
To: "Itamar Heim" <[email protected]>
Cc: [email protected], "Juan Antonio Hernandez Fernandez" <[email protected]>, "Yair 
Zaslavsky" <[email protected]>
Sent: Sunday, March 3, 2013 7:15:16 AM
Subject: Re: [Users] webadmin login issues with AD

On 3/2/13 11:57 PM, Itamar Heim wrote:
On 03/03/2013 06:41, Keith Mitchell wrote:
On 3/2/13 2:51 PM, Itamar Heim wrote:
On 01/03/2013 18:54, Keith Mitchell wrote:
I'm trying to get rhevm 3.1 (which seems to be pretty much ovirt 3.1 from what I can tell) authenticating against our active directory infrastructure but am having some difficulty that I don't quite understand and was hoping someone may know what is happening.

The server where rhevm/ovirt is running is a RHEL6 based server that has NIS configured (with user home directories mounted via nfs/automounter).  The userids in nis match the userids in our ActiveDirectory server (in fact the passwords should match too since there is a sync between the two).

I added the Activedirectory server into ovirt (through rhevm-manage-domains) and it is added/validated successfully. As the local admin user I can go in and search against the active directory, add permissions, etc.

But... If I try to log into the webadmin/user portals with one of the active directory accounts it seems to hang... and I noticed that it seems to be trying to mount the home directory of a bunch of users via the automounter (perhaps it's trying to mount everyone's home directory... can't tell).  This takes a super long time since the home directories are all across the world and nfs access to some of these filesystems is really slow... I'm not sure it will ever complete... certainly not before the user gives up.
Hi,
Currently, both search of users in a specific domain and login perform authentication + authorization check + running LDAP queries (authorization is a part of the login).
It seems really odd to me that login takes you quite some time, and search of users/groups does not.
What other info can you provide about the user you try to log in as? Did you give permissions to many entities?
At the moment there is just one AD account in the permissions and that is my AD account. At first I added "Domain Users" to the permissions, but I took that out and just stuck in my user account to see if that helped. In ovirt, my account is part of the System (i.e. top-level) and is given the SuperUser privilege, just like the local admin account.

My account is just a user account (no admin rights in the AD domain). I am a member of quite a few groups on the AD domain but I wouldn't think ovirt would care about that or need to query each group I am a member of.

Ultimately I was hoping to add the domain users group into the permissions to let anyone in the domain have access :)

I used wireshark to sniff for the LDAP packets instead of just the kerberos packets and during the "hang" it is sending constant ldap packets back and forth.

Looks like it's doing a bind request, then it succeeds and then there is a SASL-GSSAPI exchange followed by a connection close (i.e. FIN packet) and then it starts all over again. Everything is encrypted so it's difficult to see anything in the packets.

On this particular sniff, the packets went back and forth for 10 minutes and then they stopped and when I looked it had logged me into the GUI. I don't usually wait that long. I have on occasion just left the window up and sometimes it would eventually log me in and sometimes it never logged me in... in the never cases the login window just stays there spinning until I reload the web page... perhaps something timed out and it gave up before the exchange finished.

Are there any debugs I can turn on in ovirt to have it spit out what it's doing?
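The bind / SASL-GSSAPI / FIN / bind-again pattern described in the message above is easy to miss by eye in a long capture. As an added example (not from the thread or from oVirt), this script counts such bind-then-close cycles per client/server pair from a tshark-style one-line-per-frame summary; the sample lines, addresses and summary format are constructed to illustrate the shape, and the `min_cycles` threshold is an assumed heuristic.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of a `tshark -r login.pcap -Y "ldap || tcp.flags.fin==1"`
# summary (frame, seconds, src -> dst, protocol, info). Not a real capture from the thread.
SAMPLE_LINES = """\
1 0.000 10.0.0.5 -> 10.0.0.10 LDAP bindRequest(1) "" sasl
2 0.010 10.0.0.10 -> 10.0.0.5 LDAP bindResponse(1) saslBindInProgress
3 0.020 10.0.0.5 -> 10.0.0.10 LDAP bindRequest(2) "" sasl
4 0.030 10.0.0.10 -> 10.0.0.5 LDAP bindResponse(2) success
5 0.040 10.0.0.5 -> 10.0.0.10 LDAP SASL GSS-API Integrity: searchRequest(3)
6 0.050 10.0.0.10 -> 10.0.0.5 LDAP SASL GSS-API Integrity: searchResDone(3)
7 0.060 10.0.0.5 -> 10.0.0.10 TCP [FIN, ACK]
8 0.070 10.0.0.5 -> 10.0.0.10 LDAP bindRequest(1) "" sasl
9 0.080 10.0.0.10 -> 10.0.0.5 LDAP bindResponse(1) success
10 0.090 10.0.0.5 -> 10.0.0.10 TCP [FIN, ACK]
11 0.100 10.0.0.5 -> 10.0.0.10 LDAP bindRequest(1) "" sasl
12 0.110 10.0.0.10 -> 10.0.0.5 LDAP bindResponse(1) success
13 0.120 10.0.0.5 -> 10.0.0.10 TCP [FIN, ACK]
""".splitlines()

LINE_RE = re.compile(r"^(\d+)\s+([\d.]+)\s+(\S+)\s+->\s+(\S+)\s+(LDAP|TCP)\s+(.*)$")

def parse(lines):
    """Yield (time, src, dst, proto, info) for lines matching the summary shape."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            _, t, src, dst, proto, info = m.groups()
            yield float(t), src, dst, proto, info

def find_rebind_loops(lines, min_cycles=3):
    """Per client->server pair, count bind-then-close cycles and the time spent looping.
    A cycle opens at the first bindRequest after a close (SASL multi-step binds stay in
    the same cycle) and ends at the client's FIN. Returns {(client, server): stats}."""
    open_since = {}  # pair -> start time of the cycle in progress, or None
    stats = defaultdict(lambda: {"cycles": 0, "first": None, "last": None})
    for t, src, dst, proto, info in parse(lines):
        pair = (src, dst)
        if proto == "LDAP" and info.startswith("bindRequest") and open_since.get(pair) is None:
            open_since[pair] = t
        elif proto == "TCP" and "FIN" in info and open_since.get(pair) is not None:
            s = stats[pair]
            s["cycles"] += 1
            s["first"] = open_since[pair] if s["first"] is None else s["first"]
            s["last"] = t
            open_since[pair] = None
    return {pair: {"cycles": s["cycles"],
                   "seconds": round(s["last"] - s["first"], 3),
                   "looping": s["cycles"] >= min_cycles}
            for pair, s in stats.items()}
```

Run it over a real summary (`tshark -r login.pcap -Y "ldap || tcp.flags.fin==1"` with the same columns) and a pair flagged `looping` with a long `seconds` value is the client that keeps reconnecting instead of reusing one bound connection.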

_______________________________________________
Users mailing list
[email protected]
http://lists.ovirt.org/mailman/listinfo/users